In order to survive recent global challenges, many organizations adopted a blend of on premises, work-from-home, and third-party collaborations. This rapid shift to distributed work, along with radical changes in human behavior, is expanding digital risk for organizations and creating new opportunities for malicious actors: according to Forbes, Internet use was up between 50 and 70 percent, and streaming media jumped more than 12 percent in the first quarter of 2020. This surge in Internet consumption – and our heightened dependency on the Internet to work, play, and connect – has also contributed to the rise of Distributed Denial of Service (DDoS) attacks.
A recent report by Cambridge University’s Cybercrime Centre shows a three-fold increase in DDoS attacks, with the Centre now tracking around 30,000 attacks every day. Interestingly, this change is due to new malicious attackers driving the increase, as opposed to existing cybercriminals.
Accordingly, many organizations are now realizing that DDoS defense is critical to maintaining operations and ensuring a delightful customer experience. Nothing quite detracts from a customer’s experience than a DDOS attack!
A DDoS attack is where several compromised systems attack a single target, causing that system to slow down, become unresponsive, or shut down. The effect is to deny its users the ability to use it. This is achieved is by simply overwhelming the system with a flood of traffic from multiple sources. Originating in 1988 with the ‘Morris worm’, it is one of the earliest and most powerful weapons on the Internet.
DDoS attacks have and continue to be a popular method of cyber-attack, in large part due to their simplicity, low cost, and anonymity.
While DDoS defense is re-emerging as a critical factor in maintaining operations, organizations should realize that DDoS attacks are not evenly spread across industries. For example, gaming and gambling sites have traditionally been the main targets of DDoS attacks. However, as we saw during the pandemic, threat actors never waste a good crisis: DDoS attacks on infrastructure providers – such as the massive 2.3TB per second attack on Amazon Web Services, the largest such attack to date – increased during the pandemic. No doubt the increasing number of insecure Internet of Things (IoT) devices that are being infected and recruited into attacking DDoS botnets are a major contributor.
How to develop a DDoS Posture
Organizations thinking through their DDoS defenses need to prepare for various forms. The main categories attackers use are protocol attacks, volume-based attacks, and application attacks. Some common attacks include:
- Syn flood attacks looking to exploit the traditional three-way handshake;
- UDP floods targeting random ports;
- Application attacks targeting specific application weaknesses; and
- Amplification and reflection attacks, both looking to overwhelm systems while using limited resources.
Along with newer methods that include SSL-based attacks, side channel attacks, and proxy server attacks, DDoS attacks are also increasingly used in blended attacks. For example, in several different instances, cybercriminals attacked a number of financial institutions by combining malware to steal funds and DDoS attacks to distract from the thefts.
How to mitigate DDoS attacks
Organizations that harness digital transformation (e.g. cloud adoption) to keep in-line with the changing technology landscape incorporate resources that sit outside their perimeter These resources can include DDL components from third-party libraries, data and intelligence feeds from external platforms or external data lakes that feed internal AI engines. In integrating these new resources, the boundary dissolves, and distinguishing the difference between ‘internal’ and ‘external’ becomes harder to accomplish.
Organizations considering their DDoS defense posture should start with some of the usual but none-the-less important steps, including implementing patching and updates to prevent exploitable loopholes, and increasing training to help CISO teams identify attacks earlier. Organizations should also look to overprovision bandwidth to adapt to sudden spikes and surges in traffic. Note that even if you significantly overprovision, all you are doing in the event of a DDoS attack is buying time.
At the technical level, some measures that can be taken to manage attacks can include:
- Add rules to your gateway infrastructure to drop packets from obvious sources of attack. This relies on having access to good threat intelligence, e.g. drop spoofed or malformed packages;
- Set lower SYN, ICMP, and UDP flood drop thresholds;
- Apply a rate limit to your router to prevent the web server from being overwhelmed;
- Activate Web Application Firewall (WAF) if you have it. This provides a layer of protection between your website and the traffic it receives.
Again, these steps will help you buy time – but they won’t solve the problem, as DDoS attacks are growing larger in scale.
Lastly, engage with your ISP or hosting provider, who can help to ‘black hole’ such traffic, preventing it from hitting your infrastructure. Organizations may also want to engage the services of a DDoS mitigation specialist.
Shift to Zero Trust to help manage attacks
Although the technical steps listed above can help, given the increasing threat of DDoS attacks, I suggest that the security industry needs to adopt a broader shift in our mindset and adopt the ‘Zero Trust’ concept. As a society, we have long embraced the concept of trusted systems. It is this trust that creates the vulnerabilities which cybercriminals exploit. The Zero Trust approach gives us that all-important rule for establishing and maintaining a secure work environment:
‘Trust nothing and treat everything as hostile – this includes the network itself, any host, any applications, or services running on the network.’
The Zero Trust approach to cyber security puts an end to the old castle-and-moat mentality (a long-held methodology where organizations focused on defending their perimeters, while also assuming that everything inside is ‘trustworthy’ and therefore automatically cleared for access). This mentality doesn’t create a secured castle – instead, it creates an egg: a security posture characterized by a hard perimeter and a soft interior.
People trust way too much. When we overlay that trait into the IT environment, it winds up allowing too many things to run too openly and with too many default connections.
The Zero Trust approach combines a range of existing technologies together with the right governance processes to overcome our trust bias and secure the organizational IT environment. Technologies such as multifactor authentication, Identity and Access Management (IAM), file system permissions, orchestration capabilities, analytics, encryption, as well as governance policies (such as giving users the least amount of access necessary to do their work) typically contribute to a Zero Trust approach.
Additionally, Zero Trust defenses require organizations to leverage internal and micro-segmentation. This helps enforce a granular perimeter based on a typical user’s location and other collated data that to determine whether to trust a user, device, or application. Zero Trust then requires conditional policy enforcement, i.e. a policy specifying that someone can now have access to something.
Today, about the only thing an organization really owns (or, more accurately, is responsible for) is the data. The Zero Trust approach of ‘continuous verification’ wraps tighter controls around data, reducing the risk of unauthorized access, manipulation, and movement of data – including malicious software. This allows us to focus our efforts on inspecting the data and the application of appropriate access control methodologies.
Zero Trust is not just about technology; it is about process and mindset. It is more of a philosophy than a toolbox. Many organizations are already utilizing many pieces of Zero Trust, such as multifactor authentication, IAM, and provision of permission. However, implementing and developing a Zero Trust environment isn’t just about implementing these technologies. It’s about beginning with and enforcing that all-important rule: trust nothing, and nothing has access until it has been verified.
The key point here is that Zero Trust works to eliminate trust. By doing so, you seek to eliminate the failure of trust as well as attacks, such as DDoS.
To learn more, register to access the on-demand recording of RSA Chief Digital Officer Dr. Zulfikar Ramzan’s November 5th webinar, “The Rise of Zero Trust in the Digital Era.” Listen in to hear Dr. Ramzan’s observations and recommendations on how to develop this new mindset and prepare for a new era of cyberthreats.